cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2013-4545)
Impact
None. No F5 products are affected by this vulnerability.
Note: F5 products may use a version of cURL and libcurl that is affected by this vulnerability. However, those F5 products do not disable SSL_VERIFYPEER which is required for the vulnerability.